Tag Archives: Asset Management ITAM

Avoid Ransomware Attacks with IT Asset Management

When installing a home security system, it is important to perform a discovery so that you can document all vulnerabilities around the property you wish to secure. Why? Because a security system is worthless if you do not secure every window and door. When implementing an IT security solution to protect your data, it is important to perform a discovery so that you can identify all IT assets that need to be secured.

Unfortunately, many organizations continue to struggle with IT asset management, and as a result assets are often misplaced or lost. Why? Because assets tend to drop out of sight when they are changed, updated, relocated, or refreshed. Assets that are misplaced or lost put an organization at risk because it is not possible to keep an IT asset up to date when you can’t see it.

It is no secret that many organizations have recently been hit with ransomware attacks such as WannaCry. On March 14, 2017, Microsoft released a critical patch that protected IT assets from WannaCry ransomware; however, on May 12, 2017, at least 230,000 computers in more than 150 countries were paralyzed by the ransomware.

Why? Because these organizations were not current with their patch and security updates. Many organizations that were hit with the ransomware were running unsupported operating systems like Windows XP and Windows 2003, which Microsoft no longer supports.

The Importance of an IT Asset Database

Maps are critical to generals and commanders who are at war because they provide a complete view of the battlefield. Maps provide details about the landscape along with all its obstacles. When fighting a war, it is important not to be surprised by the enemy. Without maps, generals and commanders would find it very difficult to identify and secure vulnerable areas on the battlefield.

IT asset databases are much like maps that provide a view of the battlefield. When IT can see everything, they are able to see obstacles that are putting the organization at risk. Organizations that want to protect themselves from ransomware attacks need to have reliable IT asset reports so they can see all assets that are vulnerable to a ransomware attack, such as older outdated operating systems and applications.

Organizations that do not have reliable asset reports are at risk. In other words, they are fighting a battle without a reliable map.

To avoid the cost and stress experienced by people who have been impacted by ransomware attacks, get a reliable map, i.e., build an accurate and complete IT asset database using a reliable IT asset management solution. Then build processes and procedures to track the assets throughout their lifecycle.

Security Starts with Discovery

To apply security policies to IT assets, security solutions must see the asset. Historically, organizations have not given much attention to the importance of discovery services and the IT asset database. They view it as a necessity to their security solution instead of a critical component to the business.

If you left one window unlocked in your home, it would not matter that the rest of the windows and doors were locked. Everything must be discovered for complete security. Be sure to choose reliable discovery solutions if you want to ensure your network is secure. An undiscovered device is like an unlocked window.

Summary

Organizations need to implement IT asset management to ensure security is applied to every IT asset on the network. Organizations that are not managing IT assets using ITAM principles do not have a complete security solution. Don’t let your data be compromised by an IT asset that you did not see.

-follow me on Twitter @marcelshaw

Five Reasons the Data Center needs Software License Optimization (Part-1)

Many years ago, I supported document management software used primarily by legal firms. The software provided attorneys with the ability to quickly access legal documents on the network. The software included intelligent searching capabilities, powerful reporting features, and version control for thousands of documents on a local area network. The capabilities we provided boosted the efficiency of legal departments and law firms all over the world.

Although we provided a great software package that supported legal departments everywhere, the software alone was useless without the expertise of a legal expert or an attorney. When organizations need legal expertise, they hire legal experts. They don’t rely on legal software alone to handle legal matters.

Hire the Right Experts

When taxes are due, tax accountants are hired or subcontracted versus relying solely on a tax software solution. Software vendors that audit their customers typically employ software license experts along with software tools to perform the audit.

Regarding software license management, I am amazed how many organizations still do not employ or contract with software license experts in addition to software optimization tools for software license management in the datacenter.

Software audits are on the rise because software vendors are realizing that audits can generate revenue, and that customers are not investing in software license management solutions or experts.

As long as there are organizations that are non-compliant with their software license agreements because of poor license management, software vendors will continue to find software audits to be profitable.  

In a gated Gartner report published May 28, 2014, Gartner claimed: “Tracking license entitlement has become a priority for many organizations as a means to alleviate the anxiety caused by annual software vendor audit. Gartner has seen an exponential increase in the number of contracts it has received from customers looking to purchase an SLOE tool during the past nine months. We don’t expect this trend to slow down…”

It is not practical to rely on IT managers to manage software licenses in the data center unless they have licensing expertise. This would be like having an accountant with very little legal expertise represent the organization in a lawsuit accusing executives of misappropriating funds. Although the accountant could provide the information required to defend against the accusation, the accountant would not have the required expertise to handle legal process, legal negotiation and most importantly, knowledge of local applicable laws.

Here are five good reasons every organization should consider implementing an efficient software license optimization solution in the datacenter:

  1. Complex License Variations
  2. License vendors make changes which can affect licensing
  3. Technology alone is not able to correctly calculate most server licensing
  4. Market expertise required – Having the right people with the right knowledge
  5. Software Audit Protection

Part 2

In the second installment of this two-part series, I will discuss complex license variations, market expertise, software audit protection, and how software licensing can be affected when configuration changes are made in the datacenter.

 


Three Tips for IT Asset Management (ITAM) Discovery

Many years ago, I observed a house being built directly behind my house. Once the house was completed, I was surprised when one day workers showed up and began to take the house down. In fact, they took everything apart including the foundation. As it turned out, the foundation was not built correctly. As a result, everything built on top of that foundation was not reliable.

IT discovery is the foundation of your IT asset management (ITAM) solution. If discovery is unreliable, then all of the asset information you are trying to collect will not be reliable. According to an article published by Computer Weekly, “almost 66% of IT managers admit to not having a completely accurate record of their IT assets.”

For accurate IT asset discovery, make sure you consider the following guidelines:

  1. Understand the difference between discovery and audit
  2. Don’t Discover everything from the start
  3. Define IT asset reports needed for IT asset management (ITAM)

Understand the Difference between Discovery and Audit

Do not confuse IT asset discovery with an IT asset audit. Discovery tools should allow you to automate manual processes. Gartner defines “discovery” as follows:

IT asset management (ITAM) entails collecting inventory, financial and contractual data to manage the IT asset throughout its life cycle. ITAM depends on robust processes, with tools to automate manual processes. Capturing and integrating autodiscovery/inventory, financial and contractual data in a central repository for all IT assets enables the functions to effectively manage vendors and a software and hardware asset portfolio from requisition through retirement, thus monitoring the asset’s performance throughout its life cycle.

The key difference between discovery and an audit is that an audit is more of a one-time event, whereas discovery is an ongoing process. For example, if a technician spends a day with a clipboard inventorying every PC in the organization, then you will have an accurate inventory report for that day only.

If you deploy discovery tools that show when PCs connect to the network, then you will have an accurate report every time you run an inventory report. Discovery tools will also account for PCs not connected to the network by showing you the last time they connected. PCs that do not check in for a period of time can be flagged as missing in the inventory report.

Be sure to choose tools that can ‘monitor’ critical IT hardware assets such as PCs and Servers. PCs and Servers often contain additional software assets that need to be monitored.

IMPORTANT: If you are not able to see the hardware, then you probably won’t see the software.

IT assets that are not monitored need to check in to the asset management system on a regular basis. This can be done by setting your discovery tools to run daily or weekly. Discovery tools should then be able to report any changes from the previous inventory scan.
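The check-in and change-reporting behaviour described above can be sketched as follows. This is an added example, not code from the original post or from any ITAM product; the asset IDs, field names, scan dates and the 30-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: what two discovery scans found on the network.
SCAN_1 = {
    "PC-0001": {"os": "Windows 10", "software": {"Office 2016"}},
    "PC-0002": {"os": "Windows XP", "software": {"Office 2003"}},
    "SRV-0001": {"os": "Windows Server 2012 R2", "software": {"SQL Server 2014"}},
}
SCAN_2 = {
    "PC-0001": {"os": "Windows 10", "software": {"Office 2016", "7-Zip"}},
    "SRV-0001": {"os": "Windows Server 2012 R2", "software": {"SQL Server 2014"}},
    "PC-0003": {"os": "Windows 7", "software": {"Office 2010"}},
}


def apply_scan(inventory, scan, scan_time):
    """Merge one scan into the persistent inventory and report what changed.

    Assets that did not answer stay in the inventory with their old
    last_seen timestamp, so they remain visible instead of disappearing.
    """
    report = {"new": [], "changed": {}, "not_seen": []}
    for asset_id, facts in scan.items():
        record = inventory.get(asset_id)
        if record is None:
            report["new"].append(asset_id)
        else:
            delta = {}
            if record["os"] != facts["os"]:
                delta["os"] = (record["os"], facts["os"])
            installed = sorted(facts["software"] - record["software"])
            uninstalled = sorted(record["software"] - facts["software"])
            if installed:
                delta["installed"] = installed
            if uninstalled:
                delta["uninstalled"] = uninstalled
            if delta:
                report["changed"][asset_id] = delta
        # Store a copy so later scans cannot mutate the stored record.
        inventory[asset_id] = {
            "os": facts["os"],
            "software": set(facts["software"]),
            "last_seen": scan_time,
        }
    report["new"].sort()
    report["not_seen"] = sorted(set(inventory) - set(scan))
    return report


def flag_missing(inventory, now, max_age):
    """Return IDs of assets whose last check-in is older than max_age."""
    return sorted(
        asset_id
        for asset_id, record in inventory.items()
        if now - record["last_seen"] > max_age
    )


def demo():
    """Run both constructed scans and return (change report, missing list)."""
    inventory = {}
    apply_scan(inventory, SCAN_1, datetime(2017, 4, 3, 2, 0))
    second = datetime(2017, 5, 15, 2, 0)
    report = apply_scan(inventory, SCAN_2, second)
    missing = flag_missing(inventory, second, timedelta(days=30))
    return report, missing


if __name__ == "__main__":
    report, missing = demo()
    print("change report:", report)
    print("flagged missing:", missing)
```

An asset that skips one scan shows up under `not_seen` right away but is only flagged as missing once its last check-in is older than the threshold, which keeps a laptop that was off the network for a week from being reported as lost.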

Don’t Discover Everything from the Start

When looking to implement IT asset management, don’t try to do everything at once. Allow time for your asset management solution to mature. If your asset management solution is too complicated, chances are it won’t be successful.

When architecting your asset management solution, be sure to have a clear vision of what you are trying to accomplish. For example, are you able to address the following questions?

  • Why do you need asset management?
  • What do you want to track?
  • How do you want to track assets?
  • What type of reports do you expect?
  • Why do you want those reports?
  • Who will manage and maintain the ITAM solution?

If you don’t clearly define your IT asset management objectives, you could end up giving your employees a lot of unnecessary “busy” work. For example, if an organization is concerned about managing software licenses, it would make sense to build your solution so that it tracks the software, as well as the hardware hosting the software. You could complicate and distort your software asset management objectives if you try to include switches, routers, and printers.

Allow your IT asset management processes to be perfected before expanding the solution to include additional assets such as switches, routers, and printers. It is more important that your solution is successful. Keeping your solution simple from the beginning will increase your chances for success.

A simple and successful IT asset management solution can be matured into a fully functional and reliable solution that follows ITAM best practices.


Define IT Asset Reports Needed for IT Asset Management (ITAM)

Reports and dashboards will give you a summary of all your IT assets. Patricia Adams, an ITAM expert, says: “By having an understanding of the benefits that a complete end-to-end solution can provide, CIOs, CFO’s and chief security officers (CSO’s) will be better able to address the issues they are facing (many unknowingly) within their particular organization.”

As you begin your IT asset management project, define the type of IT asset reports you expect from your solution. This will help you identify what to discover and how often it will be re-discovered.

Be sure to design Business Value Dashboards (BVD) for your solution. BVD’s will help you translate technical information into cost and risk for non-IT management inside the organization. Ultimately, BVD’s will show the value that the IT department brings to the organization by helping executives make informed decisions.

Summary

Don’t let IT asset discovery become a stumbling block to your ITAM solution. Be sure to have clear objectives and a clear vision of the reports that will be needed to support those objectives. Set your discovery tools to discover and monitor assets relevant to your objectives. Most important, don’t overwhelm your IT employees with unnecessary discovery information, especially during the early phases of the project.


How IT Asset Management (ITAM) Can Integrate With Your CMDB

Tracking IT assets using ITAM best practices can be confusing for organizations looking to use a Configuration Management Database (CMDB). The confusion stems from a perception that managing a configuration item (CI) and managing an IT asset is the same or very similar. In reality, ITAM and CMDB objectives are quite different.

If you were looking to travel from New York (NY) to London, you would identify the flight to London by a flight number. For example, let’s say the flight you book is identified as flight #192. The airline’s database for flight #192 from NY to London would have a date, time, plane, crew, gate, and any relevant information needed to complete the flight service offering.


In addition to a database that tracks flights, airlines also have a database that tracks aircraft. The database used to track aircraft logs details about aircraft performance, maintenance, and contracts. This database is used to help airlines identify the lifecycle status of each aircraft. For example, is the aircraft in service or out of service? Is it time to service the aircraft? Is it time to replace the aircraft?

Obviously, Flight #192 needs an aircraft so let’s say that a Boeing 777 identified as B777-1421 is scheduled to support flight #192; however, an issue is discovered with the aircraft. To keep flight #192 in service, imagine the airline replaces the aircraft identified as B777-1421 with a similar aircraft identified as B777-1502.


Notice that when the aircraft is replaced, the flight number does not change. Flight #192 will continue to be flight #192. Integrating your CMDB with an IT asset management solution should be similar to how an airline integrates their flights database with their aircraft database. An IT asset should be looked at as a supporting component of a configuration item (CI).

The CI can be a single physical asset but in most situations, the CI is a combination of IT assets, such as an email server which consists of hardware and software. Imagine a CI for the email server is identified as “EMAIL-SRV.” Let’s identify the physical server supporting EMAIL-SRV as SRV01.


When SRV01 approaches the end of its lifecycle, a change request would be issued to replace the server. Let’s call the replacement server “SRV02”.


Upon completion of this change, the CI record would need to be changed to show that it now uses the physical server identified as SRV02; however, the name of the CI, EMAIL-SRV would keep its identity.


When you link the physical server to that CI, you will be able to update the CMDB with that server’s specifications logged in the asset management database.
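The EMAIL-SRV walk-through above can be modelled with the CI holding only a reference to the asset record. This is an added example, not code from the original post or from any ITSM or ITAM product; the record fields, lifecycle values and change ID are constructed assumptions, including the choice to mark the replaced server as retired.

```python
def sample_data():
    """Return fresh constructed CMDB and ITAM stores for the example."""
    # ITAM: one record per physical asset; specs and lifecycle live only here.
    itam = {
        "SRV01": {"model": "Example 2U server", "cpu_cores": 8, "ram_gb": 32,
                  "lifecycle": "in_service", "assigned_to": "EMAIL-SRV"},
        "SRV02": {"model": "Example 2U server G2", "cpu_cores": 16, "ram_gb": 64,
                  "lifecycle": "in_stock", "assigned_to": None},
    }
    # CMDB: the CI stores asset IDs (links), never a copy of the asset.
    cmdb = {
        "EMAIL-SRV": {"service": "Email", "assets": ["SRV01"], "history": []},
    }
    return cmdb, itam


def replace_asset(cmdb, itam, ci_name, old_id, new_id, change_id):
    """Apply a change request that swaps the asset supporting a CI."""
    ci = cmdb[ci_name]
    if old_id not in ci["assets"]:
        raise ValueError(f"{old_id} does not support {ci_name}")
    new = itam[new_id]
    # Refuse assets that are retired or already assigned to another CI,
    # so one physical server is never counted twice.
    if new["lifecycle"] == "retired":
        raise ValueError(f"{new_id} is retired")
    if new["assigned_to"] not in (None, ci_name):
        raise ValueError(f"{new_id} is assigned to {new['assigned_to']}")

    # The CI keeps its name; only the link changes.
    ci["assets"][ci["assets"].index(old_id)] = new_id
    ci["history"].append((change_id, old_id, new_id))

    # Lifecycle and assignment are updated on the ITAM side.
    itam[old_id].update(lifecycle="retired", assigned_to=None)
    new.update(lifecycle="in_service", assigned_to=ci_name)


def ci_view(cmdb, itam, ci_name):
    """Build the CMDB view of a CI, reading specs from ITAM through the link."""
    ci = cmdb[ci_name]
    spec_fields = ("model", "cpu_cores", "ram_gb")
    return {
        "ci": ci_name,
        "service": ci["service"],
        "assets": {
            asset_id: {field: itam[asset_id][field] for field in spec_fields}
            for asset_id in ci["assets"]
        },
    }


if __name__ == "__main__":
    cmdb, itam = sample_data()
    print("before:", ci_view(cmdb, itam, "EMAIL-SRV"))
    replace_asset(cmdb, itam, "EMAIL-SRV", "SRV01", "SRV02", "CHG-EXAMPLE-1")
    print("after: ", ci_view(cmdb, itam, "EMAIL-SRV"))
```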

Why should the CMDB and ITAM be separate solutions integrated with each other?

The CMDB and ITAM have much different objectives, so building a single solution to meet both objectives would be challenging. A CI located in a CMDB is tracked because the organization wants to monitor availability, stability, and impact to the organization.


CIs use ITIL best practices and processes such as “problem” and “change” for the purpose of maintaining and improving business processes supported by IT assets.

ITAM best practices focus on tracking IT asset inventory (hardware and software) as well as associated contracts, cost centers, lifecycle status, and location.


ITAM solutions will assign, unassign, or re-assign IT assets to end-users or to CIs so that IT assets are not misplaced or lost. ITAM provides details about the IT asset contracts, warranties, refresh schedules, and cost centers. ITAM primarily focuses on IT assets from an organization’s financial perspective.

Summary

When managing IT assets, use ITAM processes to manage the IT asset inventory. Build integration into the CMDB, then link supporting IT assets to the CI instead of recreating the IT asset in the CMDB. When choosing software tools, choose tools that provide seamless integration between the CMDB database and the ITAM database.


Three Ways to Avoid a Software Audit

One rainy afternoon several years ago, I waited in a parking lot for a leasing company representative to pick up my car. I leased that car three years earlier so it was time to return it. Unfortunately, I exceeded the mileage in the agreement so I had to provide the representative with a check before he would take back my car. I exceeded the mileage by 3,000 miles and the penalty was 25 cents per mile.

When software auditors come knocking on your door, they are looking to see if your organization has exceeded the number of licenses purchased. Similar to how a penalty is applied for exceeding mileage on a leased car, a penalty is applied when you exceed your license count. These penalties can be very expensive, especially for smaller organizations. To make things worse, many organizations don’t know if they have exceeded their license count and if so, by how many.

Software Vendor Partners and Software Audits

To avoid damaging relationships with customers, software vendors commonly use partners to perform their software audits.

An article posted regarding Microsoft software audits states: “Most often we are seeing Microsoft approach customers via email to conduct a self-audit, but we also see the more invasive, third-party types of audit that will send a shiver down any CIO’s spine.”

Why would Software Vendor Partners Want to Perform Software Audits?

Partners who perform software audits usually receive a percentage of the proceeds from penalties and true-up costs that are billed to an organization for any unlicensed software discovered during the audit. To avoid being targeted by software auditors, you need to understand the motivation of most software auditors—money.

How Can I Avoid a Software Audit?

Software audits are expensive for software vendors and their partners to perform. I recommend three things for any organization looking to avoid a software audit.

  1. Use ITAM software tools
  2. Build accurate software license reports
  3. Demonstrate understanding of your software license agreements

Use ITAM Software Tools

With IT Asset Management (ITAM) tools in place, you will properly discover software assets installed on your network. You will also have normalization capabilities, which will prevent inaccurate software license reporting that is a result of inaccurate data in your database.

ITAM tools that see software utilization can help recover unutilized software licenses. This can be a life-saving feature, or at a minimum, a job saving feature if you exceed your license count and are facing an upcoming software audit. Many organizations have been able to save or re-appropriate funds when renewing software licenses after removing software that is never used by employees.


When organizations manage their software using ITAM processes and software, they discourage software auditors hoping to make money from penalties and true-up costs that result from discovering unlicensed software.

In a study, Express Metrics claims: “Respondents whose organizations have implemented IT asset management (ITAM) tools report a 32% lower audit rate within the last two years than organizations with no such tools.”


Build Accurate Software License Reports

Building accurate software reports is critical if you wish to avoid a full software audit. Oftentimes, your software vendor or their third-party contractor will request a report that shows how many licenses you own versus how many you are using. If you are able to provide reports that are accurate and easy to understand, you can avoid a visit from the software auditing team.

Build reports similar to the software auditor’s reports. If your software license report looks like the software auditor’s report, you could lessen the chances that the software auditor will follow up by performing a full onsite software audit. Software audit report templates are available online.

  • Avoid contacting your software vendor or their partners to find sample/template reports.

This might raise a red flag from the software vendor’s perspective which could result in a date with the software auditor. Be advised that some software vendor partners not only sell licenses, they also do software audits.

If the software auditor decides to run their own software tools to build reports, it will be important to have your own software audit reports to address any discrepancies. The worst thing any organization can do is sit back and accept the findings of a software auditor at face value. Mistakes that favor the software auditor will result in unnecessary costs.

Demonstrate Understanding of Your Software License Agreements

It is important to understand your software license agreements, especially if you have to answer questions raised by a software auditor. Much like sharks will target an area where there is blood in the water, software auditors target organizations with a lack of knowledge about their contracts. When software auditors sense compliance issues they might see dollar signs, so if you demonstrate poor understanding about how your software licensing is structured, prepare to spend a day with the auditor at your location.

Summary

There is no indication that software audits are slowing down, so to avoid unexpected expenses as a result of a software audit, organizations should invest in ITAM tools. In a gated Gartner report published May 28, 2014, Gartner claimed:

“Tracking license entitlement has become a priority for many organizations as a means to alleviate the anxiety caused by annual software vendor audit. Gartner has seen an exponential increase in the number of contracts it has received from customers looking to purchase an SLOE tool during the past nine months. We don’t expect this trend to slow down…”

No organization is immune from a software audit; however, organizations that demonstrate a good understanding of what they have through accurate software license reports will not be targeted as often as those that demonstrate poor ITAM practices.


Three Steps to Start Your ITAM Project

Everyone has experienced the terrible feeling that comes from losing something important, such as your car keys. Has your organization ever misplaced an IT asset? Does your organization know where every IT asset is located and who may have that asset? If not, you might have misplaced an IT asset in the past or worse, you have had to pay money after a software audit.

ITAM principles consist of processes and business practices to efficiently manage IT assets within an organization. They provide methods to manage financial, contractual, and inventory data for both hardware and software assets. If ITAM principles are followed, organizations will save time and money by avoiding unexpected true-up costs as a result of software audits and they will avoid unnecessary purchases of hardware and software. If you haven’t started your ITAM project, here are three steps I recommend you follow:

  1. Understand ITAM principles
  2. Define organizational objectives and goals
  3. Choose the right partners

Understand ITAM Principles

When an organization desires to implement an ITAM strategy, it is important to have a trained asset manager who can help define the objectives. ITAM recommends processes to manage the lifecycle of IT assets. An asset manager applying ITAM principles will help your organization realize the effort it takes to reach asset management objectives. ITAM processes typically touch every department within the organization, so a lot of preparation is required to understand how each department operates. With an accurate understanding of company processes, an efficient strategy can be implemented to migrate an organization to an automated asset management system.

Define Organizational Objectives and Goals

Once you have ITAM knowledge and expertise, you will be ready to define efficient ITAM objectives and processes that will help the organization reach its goals.

High level objectives should always begin with having accurate inventory information. To obtain accurate inventory information, organizations need to control the purchase and disposal of hardware and software. There should be discussions about the type of meaningful inventory reports that are needed to help understand what assets are owned, where they are located, who is responsible for them, and if they are used for their intended purpose.

Another objective is to understand the cost of IT assets. Linking assets to contracts will help the organization understand the total cost, including any associated maintenance costs. Furthermore, it is important to gain an understanding about warranty information so that hardware refresh activity is planned and performed properly.

Automation should be part of an organization’s objectives. Automation reduces the risk of human error when applying asset lifecycle management. After goals and objectives are clearly defined, preliminary process information should be gathered in preparation for the next step, which will be to choose a partner that can help build the solution.

Choose the Right Partners

To reach the goal of complete automation, ITAM will require tools and services. A large percentage of the work will be defining the asset lifecycle processes. When choosing partners to help build the automated processes, it is important to choose partners with ITAM expertise so that best practices will be applied. It is important to refine processes so they are efficient and don’t create more work for the IT Help Desk. Poorly designed ITAM processes will increase the overall workload for the IT department, since they will have to spend much of their time troubleshooting problems, fighting political battles with the dissenters, and responding to increased support incidents.

Summary

Not only do ITAM software and hardware inventory tools need to be designed and set up properly, the processes need to be automated and work efficiently. Make sure all those involved, such as approval managers, are properly trained. Make sure all departments are trained to use processes when purchasing new IT assets. With the right partners, you will have the expertise available to interview employees from all departments in order to understand how processes work within the organization. Most important, those employees will be able to provide input to the ITAM design, which means they are more likely to buy in to the project.


ITAM vs CMDB – Choose the Right Tool

This year, I decided to make some landscaping changes around my property. I have been repairing fences, planting new gardens, and pulling up trees in my efforts to meet the landscaping goals I set. Throughout the process, I learned I do not own the correct tools for many of the tasks I intended to complete. On several occasions, I have improvised using tools in my possession instead of purchasing the recommended tools. For example, I wonder if I should have purchased and used a chain saw to cut down a tree, or was the hand saw I currently own sufficient? And will it continue to be efficient? Only time will tell, but I do fear the outcome from some of my decisions.

To CMDB or Not to CMDB?

For IT asset management and support, ITIL and ITAM provide guidelines for best practices. ITSM and ITAM software are tools that manage and support IT assets and their configuration. An ITSM Configuration Management Database (CMDB) is a tool that documents an IT asset, much like a software tool that provides ITAM functionality. It is important not to confuse the different objectives of the CMDB and ITAM software tools.

  • ITAM objectives focus on managing an IT asset’s overall cost, including ownership, associated contracts with asset lifecycle, warranty, and refresh information. ITAM focuses on IT assets from an organization’s financial perspective.
  • Configuration Management objectives look at IT assets from an operational and support perspective. Asset availability and stability impact an organization’s day-to-day operations, so assets need to be documented along with their configuration and service offerings.

Although the objectives of ITAM and Configuration Management are different, one could argue that the CMDB could easily be used as a tool that can store both discovered ITAM data and Configuration Management data. This is similar to my landscaping question about using a hand saw versus a chain saw to cut down a tree. Is there a difference? Is one more effective than the other, or is the additional tool worth the expense? Regarding ITAM and the CMDB, consider the following three questions:

  1. Can I use the CMDB to store all my ITAM data?
  2. If the CMDB stores ITAM data, would asset reports improve since they are coming from a single database?
  3. Would it be more efficient to use a single database versus two separate databases to manage IT assets?


To answer these questions I faced-off with Patricia Adams, a recognized ITAM industry expert, so that we could provide two different perspectives for each question.

Can I use the CMDB to store all my ITAM data?


Marcel Shaw:

The answer is yes, considering most ITSM solutions available today can be configured to store all IT asset data in the CMDB. Be aware that extensive modifications would be required to meet ITAM requirements. Asset properties that ITAM requires would need to be added to the CMDB. The CMDB does not provide discovery capabilities, so be sure to build connectors or integration to external IT asset discovery tools so that IT asset configuration information is discovered and current in the CMDB database. Also, you would need to create IT asset manager roles in the ITSM solution, with appropriate rights to the CMDB for the ITAM administrators. Managing ITAM data in the ITSM solution could make it easier to build and manage request fulfilment processes.


Patricia Adams:

Data Overload or Data Overlord?

Putting too much data into a CMDB that might be unrelated to the business problem you are trying to solve or customize (for example, mapping a business service into the CMDB) could eventually lead to a costly and massive database. The greater the depth of information that is stored, the greater the complexity to manage the data; in other words, going into the weeds on the data will require more time, effort, and human resources in order to maintain the integrity of the data. It can’t be a trusted source if it isn’t accurate. With many people maintaining and making changes to the data, there is a risk that unapproved changes will happen and it might be to business critical CI’s. Limiting the amount of data will also limit the number of people that can make changes to the data, thereby maintaining the integrity.

 If the CMDB stores ITAM data, would asset reports improve since they are coming from a single database?

Red Glove

Marcel Shaw:

Adding detailed IT asset information to the CMDB allows for comprehensive reporting. Creating reports using a single database could make it easier to build IT asset reports. A CMDB offers IT asset relationship information such as configuration, change risk, and impact analysis, whereas a typical ITAM solution generally focuses on peer, parent, and child relationships of an IT asset. If the CMDB stores and manages all ITIL and ITAM asset relationship information, building reports that show IT asset relationships from a single source may be easier and less expensive than building reports using multiple databases. Building reports from multiple data sources can be difficult and may require additional knowledge and training. However, as I stated in my previous answer, extensive modifications to the CMDB would be required to achieve such a goal.

Blue Glove

Patricia Adams:

Reporting Overload! There is a natural tendency to want to consolidate information as much as possible. Nobody wants to log into multiple tools to get an answer to a simple question. However, when there is too much data stored in a CMDB, it becomes difficult to report, sort, and interpret the data. If you wanted to create a constituency of people that look at the same data, an extract would need to be created. This extract might be an XLS file or a mini data mart, depending upon the number of configuration items (CIs) in your CMDB. When running a report, take into account the last time the database was updated with current changes to ensure there isn’t any latency in the data. By putting too much data that might be irrelevant to relationships or business services, you risk overloading the viewers or users of the data with unnecessary information.

Would it be more efficient to use a single database versus two separate databases to manage IT assets?

Red Glove

Marcel Shaw:

Depending on the size of the organization and the amount of ITAM processes that need to be configured, the CMDB can be a cost effective alternative, providing a simplistic asset management solution. Customization would need to be added to the CMDB, which may be expensive. After applying ITAM capabilities to the CMDB, it would be unlikely that an organization would have a complete ITAM solution. This type of IT asset management may be sufficient for a smaller organization; however, the CMDB would need to be modified so it could handle contract, financial, and lifecycle information. Furthermore, ITSM processes would need to be modified or added to provide ITAM process functionality. Adopting this strategy could benefit an organization because they would not have to purchase a separate software solution nor would they have to train employees how to manage an additional product.

Blue Glove

Patricia Adams:

Use the Right Tool for the Job

Many organizations want to centralize their information in a single source of truth, but that source might not be the best place to store the data. For example, some organizations want to put contracts, process guidebooks, and policies into their CMDB. By keeping data in a tool that specializes in that function, you can ensure that the functionality is designed to store attributes of information about that item in a reasonable form.

Contracts should be stored in a database that allows you to image them, pull out key dates, create workflows, and associate them with cost centers or groups. This would be either an IT asset management tool or a contract management system. CMDBs are not designed to support this level of detail without extensive customization. Selecting the correct domain tool for the data and then linking or integrating it to the CMDB can ensure that you are not trading off functionality for centralized convenience.

Summary

IT organizations tend to agree that IT asset management is critical for success; however, the way assets are managed varies along with the management tools that are used. Most people I speak with seem to agree on one point: we can do better when it comes to IT asset management. Patricia and I would love to know how your organization manages IT assets. If your organization is either limiting or not limiting the data that goes into a CMDB, please contribute a comment and tell us your approach to configuration and asset management.

Contributors to this Blog:

Co-Authored by Patricia Adams

Graphic by Nicole Shaw @nshaw1991 (copyright)

Edits by Carrie Shaw @carrieshaw and Chase Christensen @chasechris8 >> THANK YOU!!

Three Reasons ITAM Should be Part of Your Security Strategy (Part 2 of 2): Government Security Requirements

If you have ever lost your wallet, I am pretty sure you did not worry about the actual wallet. I live about 45 miles away from Washington, D.C. and two miles from my house is a commuter train. I will never forget the first time I took that train into D.C. After boarding, I realized I did not have my wallet. The train was already on its way, so I was stuck.

That day, all I could think about were the contents of my wallet: my driver’s license, government ID, health ID, and credit cards. If that wallet ended up in the wrong hands, I could have a big mess to clean up. Although I could cancel my credit cards, my heart was racing at the very thought of someone possibly using my license or health ID to steal my identity.

A computer hard drive is much like a wallet. If it gets lost or stolen, you will probably be more concerned about the contents than the actual hard drive. In 2014, it was reported that 68 percent of all healthcare data breaches since 2010 are due to device theft or loss…not hacking.

Security breaches associated with identity theft reported in the media are typically associated with sophisticated hacking programs. In reality, many security breaches come from computers and laptops that have been misplaced, lost, or stolen. Both the financial and healthcare sectors have been hit hard, placing the identity of millions of people at risk.

To protect user identity, government agencies have focused on the financial and healthcare industries with security regulations. Organizations that do not meet security requirements can be fined and even prosecuted.

ITAM processes will help you comply with government security requirements

An important part of security regulations relates to the physical security of the device. The National Cybersecurity Center of Excellence (NCCoE) at the U.S. National Institute of Standards and Technology (NIST) is driven by the cybersecurity needs of American businesses. In an effort to address current security issues in the U.S. financial industry, the group worked with representatives from the private sector to address security problems and to provide solutions to these problems.

The organization created a document called IT ASSET MANAGEMENT: Securing Assets for the Financial Services Sector. The motivation for this document states that an effective ITAM system increases security by providing visibility into what assets are present and what they are doing.

The objective of this document states the following:

“To effectively manage, utilize and secure an asset, you first need to know the asset’s location and function. While many financial sector companies label physical assets with bar codes and track them with a database, this approach does not answer questions such as, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” The goal of this project is to provide answers to questions like these by tying existing data systems for physical assets, security systems and IT support into a comprehensive IT asset management (ITAM) system.”

It has become evident to most organizations that IT service management (ITSM) and ITAM solutions play an important role in an organization’s overall security solution. ITAM is not just about tracking a device; it is also about tracking the data on that device.

It is not acceptable for any organization holding private identity information to not know exactly WHERE private information is stored, WHO has access to that information, and WHEN that information is accessed.

To protect the data, it is important to track the location of the asset and maintain a list of who has access to the device. That list should also include physical access, and it would not be far-fetched to even add a custodian or cleaning crew to an access list. Furthermore, it is important to know if the device is moved, reallocated, serviced, or disposed of. ITAM solutions should also communicate with ITSM solutions so that change requests to configuration items are properly documented.

ITAM Security Flow Chart

Before a device is secured, it has to be discovered and documented in a database. After security configuration, software, and encryption have been added to the device, the ITAM database needs to have the ability to track the device. Tracking the device would need to include processes that would notify the security team if a device goes missing.

The United States Department of Health & Human Services mandates a security standard called HIPAA.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The penalties for healthcare organizations are severe if they are found to be noncompliant with HIPAA requirements. A large component of these requirements addresses the physical devices that contain private patient data, as listed below in this HIPAA checklist:

164.310(a)(1) Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(c) Have you implemented physical safeguards for all workstations that access Electronic Protected Health Information (EPHI) to restrict access to authorized users?

164.310(d)(1) Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored?

164.310(d)(2)(ii) Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse?

164.310(d)(2)(iii) Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement?

164.310(d)(2)(iv) Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment?

I am aware of a hospital in Florida that makes the internal PC hard drive the primary IT asset that is tracked. They use the serial number to track the status of all hard drives for HIPAA compliance. They also have a locked room with spare hard drives. If a production hard drive fails, it is replaced and its status is changed to repair or dispose in the ITAM database. They also have a process to ensure those drives are properly disposed. As part of the disposal verification process, alerts are in place to notify security if the serial number of a disposed hard drive reappears on another device in the future.
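The disposal alert described above, together with the missing-device notification mentioned earlier, amounts to reconciling discovery scan results against the ITAM database. The following is an added example, not code from the original post or from any ITAM product; the schema, status values, alert names, serial numbers, host names, and the 14-day threshold are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class DriveRecord:
    """One hard drive as tracked in the ITAM database (hypothetical schema)."""
    serial: str
    status: str                   # assumed values: in_service, spare, repair, disposed
    assigned_host: Optional[str]
    last_seen: Optional[date]


@dataclass
class Sighting:
    """One drive serial reported by a discovery scan (hypothetical format)."""
    serial: str
    host: str
    seen_on: date


def normalize(serial: str) -> str:
    # Discovery tools report serials with inconsistent case and padding.
    return serial.strip().upper()


def reconcile(records, sightings, today, missing_after_days=14):
    """Compare scan results with ITAM records; return (alert, serial, host) tuples."""
    by_serial = {normalize(r.serial): r for r in records}
    latest = {}   # most recent scan date per serial
    alerts = []
    for s in sightings:
        key = normalize(s.serial)
        latest[key] = max(latest.get(key, s.seen_on), s.seen_on)
        rec = by_serial.get(key)
        if rec is None:
            alerts.append(("UNKNOWN_DRIVE", key, s.host))
        elif rec.status == "disposed":
            # The case from the hospital example: a disposed serial is back in use.
            alerts.append(("DISPOSED_REAPPEARED", key, s.host))
        elif rec.status in ("spare", "repair"):
            alerts.append(("NOT_IN_SERVICE_BUT_ACTIVE", key, s.host))
        elif rec.assigned_host != s.host:
            # Movement with no record of who moved it (164.310(d)(2)(iii)).
            alerts.append(("UNRECORDED_MOVE", key, s.host))
    cutoff = today - timedelta(days=missing_after_days)
    for key, rec in by_serial.items():
        if rec.status != "in_service":
            continue
        last = latest.get(key) or rec.last_seen
        if last is None or last < cutoff:
            alerts.append(("MISSING", key, rec.assigned_host))
    return alerts


# Constructed sample data, not taken from any real environment.
TODAY = date(2024, 3, 15)
RECORDS = [
    DriveRecord("WD-1001", "in_service", "ER-PC-01", date(2024, 3, 1)),
    DriveRecord("WD-1002", "disposed", None, date(2024, 1, 10)),
    DriveRecord("WD-1003", "spare", None, None),
    DriveRecord("WD-1004", "in_service", "LAB-PC-07", date(2024, 1, 20)),
    DriveRecord("WD-1005", "in_service", "RAD-PC-02", date(2024, 3, 1)),
]
SIGHTINGS = [
    Sighting(" wd-1001 ", "ER-PC-01", date(2024, 3, 14)),
    Sighting("WD-1002", "KIOSK-12", date(2024, 3, 14)),
    Sighting("WD-1005", "ADMIN-PC-09", date(2024, 3, 14)),
    Sighting("WD-9999", "KIOSK-12", date(2024, 3, 14)),
]

if __name__ == "__main__":
    for alert, serial, host in reconcile(RECORDS, SIGHTINGS, TODAY):
        print(f"{alert:26} serial={serial} host={host}")
```

Keeping disposed serials in the database rather than deleting them is what makes the first check possible; a purged record would surface only as an unknown drive.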

Summary

There is no question that ITAM should play an important role in your overall security strategy. Does your organization protect data by properly managing physical IT assets? Take this self-assessment quiz to see how you are doing.

  1. Does your organization track the name of the person receiving, disposing, reassigning, or moving physical IT assets? YES/NO
  2. Does your organization have policies that limit physical access to IT assets containing sensitive company data? YES/NO
  3. Does your organization enforce policies to track the removal of hardware containing sensitive data in and out of your facility? YES/NO
  4. Does your organization have policies to sanitize and dispose of end-of-life IT assets? YES/NO
  5. Does your organization have policies to VERIFY that IT assets have been properly disposed? YES/NO
  6. Does your organization sanitize and physically secure IT assets that are currently not in use? YES/NO
  7. Does your organization have policies in place to be alerted in a timely fashion if an IT device is stolen or lost? YES/NO

If you said no to any of these questions, it’s time to make ITAM a part of your security strategy.

-follow me on Twitter @marcelshaw

What to Expect when Expecting a Software Audit

Do you find yourself becoming easily agitated or frustrated? Are you feeling overwhelmed, like you are losing control or need to take control? Maybe you are having difficulty relaxing or quieting your mind. If you feel any or all of these symptoms, you may be experiencing stress as a result of an upcoming software audit.

Expect to be audited

A software audit isn’t personal; however, it is how software companies ensure that customers are paying for every license they have installed. Software audits can also generate revenue for software companies; therefore, auditors tend to target organizations that lack an understanding of their software licenses substantially more often than companies that understand and properly manage their software licenses.

Software audits used to be a rare event for an organization; however, some software companies are performing audits more frequently than in the past. In a report posted by cio.com, 58% of executives surveyed said they have been audited by Microsoft in the last 12 months. The report went on to say that audits from Microsoft have become more frequent in the past five years. “Most often we are seeing Microsoft approach customers via email to conduct a self-audit, but we also see the more invasive, third-party types of audit that will send a shiver down any CIO’s spine.”

It is no longer a question of ‘if’ you will face an audit; it is now a question of ‘when’. Organizations can avoid unexpected costs resulting from a software audit if they invest in tools that accurately report the software installations matched with their software entitlements. First, it is important to understand your software license agreement.

Expect the auditor to understand your software license agreement

A software license agreement can be very complex. One thing to expect from the auditor is that he/she has a thorough understanding of your software agreement. If you do not understand your agreement, you will have to rely on the findings of the auditor.

Endpoint software license agreements are not just a question of how many software installations you have versus how many you own; they are also about software entitlement. For example, a software license agreement might state that a license may allow a user to install the software on more than one device. This would be important information when calculating the software entitlement.

Software license agreements become more complex in the data center with software such as Oracle, Microsoft SQL, server virtualization, desktop virtualization, etc. These solutions often use per-processor licensing or multiplexing.

For example, a Licensing Server Quick Reference Guide for SQL Server 2008 R2 explains the license as follows: For any virtual OSE, you can calculate the number of Per Processor Licenses required for the SQL Server edition that you are licensing by dividing data point A (number of virtual processors supporting the virtual OSE) by data point B (# of cores [if hyperthreading is turned off] or threads [if hyperthreading is turned on] per physical processor). If the result is not a whole number, round up to the next whole number.

The complexity as shown above has opened the door for mistakes. An article by Computer Weekly claims “Along with economic pressure, the survey of 92 senior decision makers reported that technological changes such as virtualization have also driven the increase in audits. The complexity of those technologies makes it harder for companies to be sure they are using them properly.”

Once you have a good understanding of your software license agreement, you will be able to apply your software asset management tools more effectively.

Expect to pay if you are not properly tracking your software licenses

It is important to invest in tools and resources to track software licenses, software deployments, and software entitlements. Accurate reporting of software licenses is critical to avoiding unexpected software license costs resulting from an audit. IT departments need to have the ability to do a self-audit internally or by a third party.

Software auditors are aware of organizations that are not using tools to manage software licenses, and those organizations tend to be targeted for an audit more often. One report states “Respondents whose organizations have implemented IT asset management (ITAM) tools report a 32% lower audit rate within the last two years than organizations with no such tools.”

Software companies are aware of the high cost required to perform a software audit, just as they are aware of the revenue that can be generated by the audit. In an article posted by Martin Thompson on the ITAM Review, he states “Because audits are very expensive, a vendor doesn’t undertake them lightly and if you have received a request for an audit it is no longer about the deterrent value of an audit, but because the vendor has decided that there is a strong chance that an audit of your company will bring in more money than it will cost to carry out the audit.”

Expect to pay retroactive maintenance fees for unlicensed software

If a software audit reveals you are using more licenses than you own, expect to pay retroactive maintenance for those licenses. That’s right, you won’t just pay the cost of the license; expect to pay more. Think of it as a penalty similar to paying your taxes after the deadline.

An article published in PC World states, “If a customer is found to be out of compliance, IBM asks them to buy the right licenses and pay two years of retroactive maintenance fees.”

Summary

To reduce the stress and costs that result from a software audit, I recommend the following:

  • Understand your Software License Agreements
  • Track software installations with Software Asset Management tools
  • Enable your IT Departments to do self-audits or contract with a third party that can do it for you on a regular basis.

Surviving a Software Audit (Part 1 of 2): How ITAM will Cover Your Assets

You are going to be audited…I don’t think there is any way to phrase that sentence in such a way as to make it seem like everything will be just fine. When someone tells you that you will be audited, they might as well say they are coming to disrupt your ongoing projects, tasks, and ultimately, your life.

Whether you are facing a personal audit from your government’s tax revenue agency, or from an agency or association authorized to audit software licenses in the IT services organization you are in charge of running, the stress of an audit can be excruciating.

“The five vendors most likely to audit corporate software licenses are Microsoft, Adobe, Autodesk, Oracle, and SAP, in that order,” according to an Information Week article dated January 28, 2014. They also stated that “Companies with 5,000 to 9,999 employees were the most audited, followed by firms with 10,000 to 25,000 employees.”

Software license auditing departments from software manufacturers are usually revenue generating and profitable within their organizations. It is much like saying a police department is a profitable organization within a government agency. For example, The State of Virginia raked in $101 million in speeding tickets last year. It was reported that, ‘It appears that some communities are falling into the trap of using ‘traffic enforcement as a mechanism to raise revenue.’

Software license auditors are often referred to as the ‘software police’. It is no coincidence that when a software manufacturer’s sales revenues are down, the software license auditors tend to be more active. As long as there are companies mismanaging their software assets, there will be a revenue opportunity for software license auditors.

Implementing Asset Management Makes You Less Attractive to Software License Auditors

By implementing an ITAM strategy, your organization becomes less attractive to those software license auditors who, at the end of the day, need to make money to justify their cause. As further evidence of this, Express Metrics claimed: “Respondents whose organizations have implemented IT asset management (ITAM) tools report a 32% lower audit rate within the last two years than organizations with no such tools.”

How an ITAM Strategy Will Help You Survive a Software Audit

With ITAM, prior to the software audit, you will be able to do the following:

  • Discover, validate, and reconcile assets on the network
  • Track and manage lifecycle change and audit history
  • Leverage approved standards for asset selection
  • Define and control asset management processes and operations

With ITAM, during the software audit, your company will be able to:

  • Communicate what assets you have
  • Communicate what the assets are used for
  • Show the auditors where they are located
  • Prove legal ownership, including documentation and media
  • Ensure compliance with contracts and government regulations
  • Show tracked software compliance reports to defend any discrepancies the auditor may claim

Software License Optimization and Entitlement (SLOE) Tools vs Asset Management using ITAM processes

There might be some people who believe they have their asset management problems solved by only using SLOE tools. I beg to differ. If you are employed by the legal industry, the health industry, the financial industry, or a government agency, I strongly recommend you know exactly where all your hard drives are located. Anything that holds data needs to be tracked.

Complete asset management, which includes both hardware and software, should be the goal of every IT organization. In a blog planned for later this month, I will address the security issues you have when you do not track hardware assets along with your software assets.

How to Assess a Software License Optimization and Entitlement Tool is a gated document that was published by Gartner on May 28, 2014. In that report, Gartner stated the following:

“Tracking license entitlement has become a priority for many organizations as a means to alleviate the anxiety caused by annual software vendor audit. Gartner has seen an exponential increase in the number of contracts it has received from customers looking to purchase an SLOE tool during the past nine months. We don’t expect this trend to slow down, because more than 50 organizations are actively pursuing this technology.”

In Part 2 of this series, I will talk about using SLOE tools as part of a software license reclamation strategy. I have seen companies save up to one million dollars in software renewals when they make software license reclamation part of their asset management strategy. I will address the following steps in my next post:

  1. Discover Software
  2. Assess Software Usage
  3. Software License Reclamation

To be continued…

Surviving a Software Audit (Part 2 of 2): Three Steps for Software License Reclamation
